CVE-2025-15115 identifies a critical security weakness in the Petlibro Smart Pet Feeder Platform's social login OAuth implementation. The vulnerability arises from improper validation of OAuth tokens during third-party authentication via Google accounts. Specifically, the endpoint /member/auth/thirdLogin accepts requests containing Google IDs and phoneBrand parameters without verifying the authenticity of the OAuth tokens. This flaw allows an attacker to impersonate any user by submitting arbitrary Google IDs, bypassing the intended authorization checks. Consequently, the attacker receives valid session tokens granting full access to the victim's account, including control over the smart pet feeder device and access to any personal data stored within the platform. The vulnerability affects all versions up to 1.7.31, with no patch currently available. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and limited impact on confidentiality and integrity (VC:L, VI:L), resulting in a medium severity rating of 6.9. No known exploits have been reported in the wild, but the ease of exploitation and potential for unauthorized access make this a significant threat to users. The flaw undermines the trust model of OAuth-based social login, a common authentication mechanism in IoT platforms, highlighting the importance of robust token validation. Given the increasing integration of IoT devices in consumer environments, exploitation could lead to privacy breaches and unauthorized device manipulation.

For European organizations and consumers using the Petlibro Smart Pet Feeder Platform, this vulnerability could lead to unauthorized account takeovers without requiring any authentication or user interaction. Attackers gaining access to user accounts can manipulate device settings, potentially disrupting pet feeding schedules or causing device malfunctions. Additionally, attackers may access personal user information stored in the platform, leading to privacy violations. While the direct operational impact on critical infrastructure is low, the compromise of consumer IoT devices can erode user trust and expose organizations managing these platforms to reputational damage and potential regulatory scrutiny under GDPR for inadequate protection of personal data. The medium severity rating reflects moderate confidentiality and integrity impacts but no availability impact. European companies involved in the distribution, support, or integration of Petlibro devices may face increased support costs and liability risks. The lack of a patch increases the urgency for mitigation to prevent exploitation. Given the growing IoT market in Europe, widespread exploitation could have a notable cumulative effect on consumer security and privacy.

Immediate mitigation should focus on restricting access to the vulnerable endpoint /member/auth/thirdLogin through network-level controls such as IP whitelisting or rate limiting to reduce exposure. Organizations should monitor logs for suspicious authentication attempts involving arbitrary Google IDs or unusual usage patterns. Implementing multi-factor authentication (MFA) on user accounts, if supported by the platform, can add an additional layer of defense. Users should be advised to change their passwords and review account activity regularly. Petlibro should be engaged to prioritize development and deployment of a patch that properly validates OAuth tokens against the issuing authority before granting session tokens. Until a patch is available, organizations could consider disabling social login features or isolating affected devices on segmented networks to limit potential damage. Security teams should educate users on the risks of using social login and encourage use of direct authentication methods if available. Finally, integrating anomaly detection systems to flag unusual login behaviors can help detect exploitation attempts early.